18 matches found
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in OSSLCRMFENCRYPTEDVALUEdecrypt. An attacker in a MitM position can return a CRMF CertRepMessage whose EncryptedValue carries a symmAlg field with an algorithm OID but no parameters, dereferencing NULL when the...
Insertion of Sensitive Information Into Sent Data
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the getSinglePublicChatflow handler in chatflows/index.ts. An attacker can retrieve sensitive flow configuration by requesting a public chatflow and...
Missing Authentication for Critical Function
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the public-chatbotConfig and oauth2-credential/refresh endpoints. An attacker can obtain OAuth 2.0 access tokens for third-party services by retrieving...
Server-side Request Forgery (SSRF)
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the getHttpDenyList process in httpSecurity.ts. An attacker can reach internal or otherwise denied HTTP endpoints by supplying requests that rely on the HTTP deny li...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the process that parses WWW-Authenticate challenges from an upstream registry. An attacker can obtain upstream credentials by manipulating the bearer realm URL to redirect authentication requests to a...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the process that parses WWW-Authenticate challenges from an upstream registry. An attacker can obtain upstream credentials by manipulating the bearer realm URL to redirect authentication requests to a...
Memory Allocation with Excessive Size Value
Overview github.com/gofiber/fiber/v3 is an Express inspired web framework written in Go. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the parseAndClearFlashMessages function. An attacker can cause excessive memory allocation by sending a...
CVE-2026-2532 lintsinghua DeepAudit IP Address embedding_config.py server-side request forgery
A vulnerability was detected in lintsinghua DeepAudit up to 3.0.3. This issue affects some unknown processing of the file backend/app/api/v1/endpoints/embeddingconfig.py of the component IP Address Handler. Performing a manipulation results in server-side request forgery. It is possible to initia...
Linux Distros Unpatched Vulnerability : CVE-2017-20165
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The...
CVE-2023-28440
Discourse is an open source platform for community discussion. In affected versions a maliciously crafted request from a Discourse administrator can lead to a long-running request and eventual timeout. This has the greatest potential impact in shared hosting environments where admins are untruste...
CVE-2017-20165
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. T...
SUSE CVE-2022-24737
HTTPie is a command-line HTTP client. HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage. Before 3.1.0, HTTPie didn't distinguish between cookies and host...
Arbitrary Code Injection
Overview billz/raspap-webgui is a Simple wireless AP setup and mangement for Debian-based devices. Affected versions of this package are vulnerable to Arbitrary Code Injection in the DisplayProviderConfig function, which is accessible via the $POST'country' in the HTTP POST request handler. A use...
PT-2023-24882 · Itop +1 · Itop +1
Name of the Vulnerable Software and Affected Versions: iTop versions prior to 3.0.4 and 3.1.0 Description: iTop is an open source, web-based IT service management platform. Cross site scripting is possible on pages/UI.php in versions prior to 3.0.4 and 3.1.0. Recommendations: For versions prior t...
PT-2023-26173 · Discourse · Discourse
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 3.0.6 of the stable branch Discourse versions prior to 3.1.0.beta7 of the beta and tests-passed branches Description: Discourse is an open source discussion platform. The issue allows more users than permitted to b...
PT-2023-10296 · Cchetanonline · Wp-Copyprotect
Name of the Vulnerable Software and Affected Versions: cchetanonline WP-CopyProtect versions up to 3.0.0 Description: A vulnerability was found in the function CopyProtect options page of the file wp-copyprotect.php. The manipulation of the argument CopyProtect nrc text leads to cross-site...
PT-2022-20195 · Litespeed · Litespeed Quic
Name of the Vulnerable Software and Affected Versions: LiteSpeed QUIC aka LSQUIC versions prior to 3.1.0 Description: The issue arises from the mishandling of MAX TABLE CAPACITY in liblsquic/lsquic qenc hdl.c. No information is provided about the estimated number of potentially affected devices...
CVE-2019-0186
The input fields of the Apache Pluto "Chat Room" demo portlet 3.0.0 and 3.0.1 are vulnerable to Cross-Site Scripting XSS attacks. Mitigation: Uninstall the ChatRoomDemo war file - or - migrate to version 3.1.0 of the chat-room-demo war file...